Windows Service DefaultCredentials are empty?

Discussion in 'ASP .Net Web Services' started by The Man From SQL, Aug 22, 2006.

  1. Hello,

    I have a v1.1 Windows Service that calls a v1.1 web service asynchronously.
    Both the windows service and web service are on the same Server 2003 machine.
    The Web Service is wrapped in Oracle CoreID for security and uses Integrated
    Windows Authentication with Basic as the authentication level. The Windows
    Service runs under a Windows Account (let's call it TMP\bob). The CoreID
    consumer instructions are that I only need to explicitly set the web client
    proxy's credentials to DefaultCredentials, like so:

    ws.Credentials = System.Net.CredentialCache.DefaultCredentials;

    When I try to access the web service front page from a browser and enter the
    bob's credentials at the login prompt, I am able to access the site.

    When I call the web service from a console app specifying DefaultCredentials
    (my own windows account also has permissions to access this web service), I
    am able to access the site.

    When I call the web service from a console app and create a new
    NetworkCredential for TMP\bob, I am able to access the site.

    When I create a Windows Service and run it under either my login or bob's
    login and try to call the web service, I get an HTTP 401 Unauthorized error.

    I've read online about the double hop problem, but mostly in relation to
    ASP.NET clients, not Windows Service clients. Plus, it works from a console
    app.

    I'm at a loss as to what to do and I don't want to have to store and encrypt
    the user name and password somewhere. Can someone explain why the Windows
    Service call doesn't work and some possible workarounds?

    Thanks very much,

    TheManFromSQL
    The Man From SQL, Aug 22, 2006
    #1
    1. Advertising

  2. Hi Steven,

    Thanks very much for your reply. I think I was able to get to the bottom of
    this issue yesterday by doing some digging online. How I was able to get it
    to work is by setting the web proxy's PreAuthenticate property to true before
    I set the credentials.

    MyWebService ws = new MyWebService();
    ws.PreAuthenticate = true;
    ws.Credentials = System.Net.CredentialCache.DefaultCredentials;

    For some reason, this worked doing the asynchronous call. The documentation
    page on the PreAuthenticate property leads me to believe that an asynchronous
    call, for some reason, doesn't resubmit when it gets a 401 error.

    From the MSDN documentation:

    "When PreAuthenticate is true, the WWW-authenticate header is sent with the
    first request if the authentication mechanism supports doing so. When
    PreAuthenticate is false, a request is made to the XML Web service method
    without initially attempting to authenticate the user. If the XML Web service
    allows anonymous access, then the XML Web service method is executed. If
    anonymous access is disallowed, a 401 HTTP return code is sent back to the
    client. In response, the WebClientProtocol class returns authentication
    credentials to the Web server. If the client is authenticated and
    subsequently authorized to access the XML Web service, the XML Web service
    method is executed; otherwise the client is denied access."

    The security tool our server team is using (CoreID), is an ISAPI filter so
    it may have been killing the request when it saw that it was anonymous and
    not allowing a retry.

    But that still doesn't explain why I was able to hit the web service
    asynchronously from a console app using the same credentials.

    This morning we install the new Windows Service to QA (I was trying to hit
    the QA web service from my machine) and see if the changes take.

    "Steven Cheng[MSFT]" wrote:

    >
    > Hi Man,
    >
    > From your description, when calling a local webservice (protected through
    > IIS intergrated windows authentication) in your windows service
    > application, you're getting 401 error at client-side, and the same client
    > application code works in other console client applications, correct?
    >
    > Based on my experience, calling webservice through proxy in windows service
    > and pass credential by "System.Net.CredentialCache.DefaultCredentials" is
    > definitely supported. Actually, the
    > "System.Net.CredentialCache.DefaultCredentials" will reference the current
    > windows security identity of the running process/thread. I've just created
    > a simple C# NT service which running under a local user account and access
    > a local webservice(win2k3 iis6) with windows authentication and it works
    > well. I have put some code in the service applicaion to trace the current
    > windows identity (when service start, calling webservice synchornously or
    > asynchornously) and it always display the service's logon account
    > (configured in SCM).
    >
    > currently, I think you can try checking the following things:
    >
    >
    > 1. Check the IIS log to see what's the detailed log entry of the failed
    > webservice calls from windows service.
    >
    > 2. test though some other simplified windows service(you can use my test
    > service if necessary) to see whether it works. In the service code, we can
    > log the windows identity
    >
    > 3. On the machine's eventlog, you can check whether there is any entries
    > that associated with your service.
    >
    > 4. Since webservice call will perform network operations, make sure the
    > user account is granted "Access this computer from the network" privilege
    > in the LSA.
    >
    > BTW, I notice that you're calling the webservice asynchronously, are you
    > just using the proxy.beginXXX method? Or are you spawn separate thread to
    > do the work? I suggest you try simplifed code first to isolate the issue.
    > Also, on your computer, check the
    >
    > I've attached my test windows service project in this message, you can get
    > it if you're using Outlook express to visit the newsgroup. If necessary, I
    > can send you via email also.
    >
    > Please feel free to let me know if there is anything I missed or any other
    > information you wonder.
    >
    > Sincerely,
    >
    > Steven Cheng
    >
    > Microsoft MSDN Online Support Lead
    >
    >
    >
    > ==================================================
    >
    > Get notification to my posts through email? Please refer to
    > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    > ications.
    >
    >
    >
    > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    > where an initial response from the community or a Microsoft Support
    > Engineer within 1 business day is acceptable. Please note that each follow
    > up response may take approximately 2 business days as the support
    > professional working with you may need further investigation to reach the
    > most efficient resolution. The offering is not appropriate for situations
    > that require urgent, real-time or phone-based interactions or complex
    > project analysis and dump analysis issues. Issues of this nature are best
    > handled working with a dedicated Microsoft Support Engineer by contacting
    > Microsoft Customer Support Services (CSS) at
    > http://msdn.microsoft.com/subscriptions/support/default.aspx.
    >
    > ==================================================
    >
    >
    >
    > This posting is provided "AS IS" with no warranties, and confers no rights
    The Man From SQL, Aug 23, 2006
    #2
    1. Advertising

  3. Thanks for your reply,

    As for the "PreAuthenticate" property you mentioned, it is abit unexpected
    because in my local test environment, I never explicitly assign this
    property(no matter in sync or async mode when calling the webservice).

    BTW, as for the CoreID security tool, have you tried on a webservice (same
    authentication setting in IIS) which is not secured by this tool? If such
    as service can be called successfully without explicitly setting the
    PreAuthenticate property, the problem is likely specific to the security
    tool's internal authentication implementation.

    Please feel free to let me know if there is any new finding or any other
    question you wonder.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Aug 24, 2006
    #3
  4. Steven,

    Thanks for your post. It turned out that after we applied the fix and
    redeployed to the Server 2003 environment we continued to get the error. So
    it's back to the drawing board.

    Question about your web service/windows service model. Is the windows
    service calling an asynchronous web service and specifying a callback and an
    Asyncstate parameter? If not, are you able to test this scenario?

    Thanks very much,

    TheManFromSql

    "Steven Cheng[MSFT]" wrote:

    > Thanks for your reply,
    >
    > As for the "PreAuthenticate" property you mentioned, it is abit unexpected
    > because in my local test environment, I never explicitly assign this
    > property(no matter in sync or async mode when calling the webservice).
    >
    > BTW, as for the CoreID security tool, have you tried on a webservice (same
    > authentication setting in IIS) which is not secured by this tool? If such
    > as service can be called successfully without explicitly setting the
    > PreAuthenticate property, the problem is likely specific to the security
    > tool's internal authentication implementation.
    >
    > Please feel free to let me know if there is any new finding or any other
    > question you wonder.
    >
    > Sincerely,
    >
    > Steven Cheng
    >
    > Microsoft MSDN Online Support Lead
    >
    >
    >
    > This posting is provided "AS IS" with no warranties, and confers no rights.
    >
    >
    >
    The Man From SQL, Aug 24, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Craig
    Replies:
    1
    Views:
    10,972
    shobhaiyer
    Oct 3, 2007
  2. Guest
    Replies:
    1
    Views:
    475
    yuri vanzine
    Dec 9, 2003
  3. =?Utf-8?B?TmlrbGFzIFVobGlu?=

    Empty CredentialCache.DefaultCredentials

    =?Utf-8?B?TmlrbGFzIFVobGlu?=, Sep 11, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    5,339
    engsooonah
    Apr 10, 2007
  4. TomislaW

    why DefaultCredentials are empty?

    TomislaW, Apr 4, 2008, in forum: ASP .Net
    Replies:
    0
    Views:
    547
    TomislaW
    Apr 4, 2008
  5. SP
    Replies:
    0
    Views:
    150
Loading...

Share This Page